Enable public DNS on Cisco ASA 5516-X

Rebecca NMB
Level 1

Hi all

I'm inexperienced with networking/firewall/DNS, so please forgive me if I use the incorrect terms or if I don't make too much sense.

I work in a very small IT department and have been thrown into managing the firewall.

I've found an error where we get 'user identity: DNS lookup for 'FQDN' failed, reason:Timeout or unresolvable'

I think this may be because we need to add a public DNS address and possibly enable DNS Lookup for more interfaces.

Would this be right?


What is the site that you are unable to resolve?  and where does your current DNS configuration point to?  If you log onto this DNS server is it able to resolve the FQDN that you are having issues with?

Adding more DNS entries to the ASA will not help much as it uses a top down first match logic, so if the first IP in the list of DNS servers is reachable it will choose that DNS server.  A better solution would be to identify why your current DNS server is not able to resolve the FQDN and fix that problem on the DNS server.

--
Please remember to select a correct answer and rate helpful posts

Jitendra Kumar
Spotlight

It's an object in the ASA that's mapped to a FQDN that is unresolvable...

object network FQDN_sitename.xxx
fqdn v4 sitename.xxx

if that object is in an access rule, the asa will query the site over and over and over and over.

need to remove the access rule and most likely the object...

Thanks,
Jitendra
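The advice above is to look for FQDN network objects that sit in an access rule, because those are the ones the ASA keeps re-resolving and logging timeouts for. The script below is an added example (not Jitendra's or Cisco's code) that does exactly that triage offline: it parses a saved `show running-config` text for `object network` blocks with an `fqdn` line and reports which of them are referenced by an `access-list` entry. The configuration text embedded in it is constructed for the example; the object and ACL names in it are assumptions, not from the thread.

```python
import re
from typing import Dict, List

# Constructed sample of ASA running-config lines (not from the thread).
# Two FQDN objects are defined; only the first is used in an access-list.
SAMPLE_CONFIG = """\
object network FQDN_public.dhe.ibm.com
 fqdn v4 public.dhe.ibm.com
object network FQDN_updates.example.net
 fqdn v4 updates.example.net
object network HOST_fileserver
 host 10.0.0.5
access-list outside_access_in extended permit tcp any object FQDN_public.dhe.ibm.com eq https
access-list inside_access_in extended permit ip object HOST_fileserver any
access-group outside_access_in in interface outside
"""


def parse_fqdn_objects(config: str) -> Dict[str, str]:
    """Map each 'object network <name>' that carries an 'fqdn' line to its FQDN."""
    objects: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        # Indented 'fqdn v4 host', 'fqdn v6 host' or plain 'fqdn host'.
        m = re.match(r"^\s+fqdn(?: v4| v6)? (\S+)", line)
        if m and current:
            objects[current] = m.group(1)
    return objects


def find_acl_references(config: str, object_names) -> Dict[str, List[str]]:
    """For each object name, collect the access-list lines that use 'object <name>'."""
    refs: Dict[str, List[str]] = {name: [] for name in object_names}
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        tokens = line.split()
        # 'object <name>' is how an ACE references a network object on the ASA.
        for prev, tok in zip(tokens, tokens[1:]):
            if prev == "object" and tok in refs:
                refs[tok].append(line)
    return refs


def fqdn_objects_in_acls(config: str) -> Dict[str, str]:
    """Return {object_name: fqdn} for FQDN objects that an access-list actually references.

    These are the names the ASA will resolve repeatedly; if the DNS server the ASA
    uses cannot answer for one of them, that is the source of the timeout log message.
    """
    objs = parse_fqdn_objects(config)
    refs = find_acl_references(config, objs)
    return {name: fqdn for name, fqdn in objs.items() if refs[name]}


if __name__ == "__main__":
    for name, fqdn in fqdn_objects_in_acls(SAMPLE_CONFIG).items():
        print(f"{name} -> {fqdn} (used in an access-list; ASA must be able to resolve it)")
```

Feed it the output of `show running-config` saved to a file instead of `SAMPLE_CONFIG`, then check each reported FQDN with `nslookup` against the DNS server configured on the ASA; an object that is defined but not referenced by any ACL is not the cause of the repeated lookups.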

What is your DNS configuration on your ASA?  Does it point to an internal DNS server?

--
Please remember to select a correct answer and rate helpful posts

Rebecca NMB
Level 1

Thank you for your replies.

We are trying to reach public.dhe.ibm.com.

The DNS configured is our internal DNS server. I can't ping public.dhe.ibm.com or its IP address from the server.

Are you running ASA or FTD code on your ASA5516-X?

On the ASA's CLI issue the command show run dns and post the output here.

Go to the DNS server and open a command prompt and issue the command nslookup public.dhe.ibm.com and post the output here.  If it does not return an IP for domain and your ASA does DNS lookup to that DNS server, then that is the problem.  Either the ASA will need to use a different DNS server or you will need to add a DNS forwarder for the public.dhe.ibm.com domain.

--
Please remember to select a correct answer and rate helpful posts